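/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _ADUTILS_H
#define _ADUTILS_H

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Processes name2sid & sid2name lookups for a given user or computer
 * from an AD Directory server using GSSAPI authentication.
 *
 * This header only declares the interface; all lookups are issued
 * asynchronously in batches (see "Batch lookups" below).
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <lber.h>
#include <ldap.h>
#include <sasl/sasl.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <time.h>
#include <thread.h>
#include <synch.h>
#include "idmap_prot.h"
#include <sys/idmap.h>

/*
 * idmapd interfaces stolen? from other idmapd code?
 */

/*
 * Eventually these should be an enum here, but instead we share a
 * namespace with other things in idmapd.
 *
 * NOTE(review): identifiers of the form _UPPERCASE are reserved for the
 * implementation by the C standard; the names are kept unchanged because
 * other idmapd code depends on them.
 */
#define	_IDMAP_T_OTHER		0
#define	_IDMAP_T_UNDEF		-1
#define	_IDMAP_T_USER		-1004
#define	_IDMAP_T_GROUP		-1005
#define	_IDMAP_T_DOMAIN		-1006
#define	_IDMAP_T_COMPUTER	-1007

/*
 * Maximum size of a binary SID: revision (1) + sub-authority count (1)
 * + 48-bit identifier authority (6) + up to SID_MAX_SUB_AUTHORITIES
 * 32-bit sub-authorities.
 *
 * MAXHEXBINSID is three characters per binary byte; presumably the
 * LDAP-filter escaped form ("\XX" per byte). Note that it leaves no room
 * for a terminating NUL — callers sizing string buffers from it should
 * confirm whether they need MAXHEXBINSID + 1.
 */
#define	SID_MAX_SUB_AUTHORITIES	15
#define	MAXBINSID		(1 + 1 + 6 + (SID_MAX_SUB_AUTHORITIES * 4))
#define	MAXHEXBINSID		(MAXBINSID * 3)

/* A SID relative identifier (the last sub-authority of a SID). */
typedef uint32_t rid_t;

/*
 * We use the port numbers for normal LDAP and global catalog LDAP as
 * the enum values for this enumeration. Clever? Silly? You decide.
 * Although we never actually use these enum values as port numbers and
 * never will, so this is just cute.
 */
typedef enum idmap_ad_partition {
	IDMAP_AD_DATA = 389,
	IDMAP_AD_GLOBAL_CATALOG = 3268
} idmap_ad_partition_t;

/* Opaque handles; their layout is private to the implementation. */
typedef struct ad ad_t;
typedef struct idmap_query_state idmap_query_state_t;

/*
 * Idmap interfaces:
 *
 *  - an ad_t represents an AD partition
 *  - a DS (hostname + port, if port != 0) can be added/removed from an ad_t
 *  - and because libldap supports space-separated lists of servers, a
 *    single hostname value can actually be a set of hostnames.
 *  - an ad_t can be allocated, ref'ed and released; last release
 *    releases resources
 *
 *  - lookups are batched; see below.
 *
 * See below.
 */

/*
 * Allocate/release ad_t objects
 *
 * idmap_ad_alloc() stores the new object in *new_ad; 'default_domain'
 * is the domain used for unqualified names (presumably — confirm against
 * the implementation) and 'part' selects the partition (data or global
 * catalog). Returns 0 on success, non-zero otherwise.
 *
 * idmap_ad_free() releases *ad and is expected to NULL it out (it takes
 * an ad_t **) — confirm against the implementation.
 */
int idmap_ad_alloc(ad_t **new_ad, const char *default_domain,
		idmap_ad_partition_t part);
void idmap_ad_free(ad_t **ad);

/*
 * Add/remove a DS to/from an ad_t
 *
 * 'host' may be a space-separated list of hostnames (see above); a
 * 'port' of 0 means "not specified" per the overview comment.
 * idmap_add_ds() returns 0 on success, non-zero otherwise.
 */
int idmap_add_ds(ad_t *ad, const char *host, int port);
void idmap_delete_ds(ad_t *ad, const char *host, int port);

/*
 * Batch lookups
 *
 * Start a batch, add queries to the batch one by one (the output
 * pointers should all differ, so that a query's results don't clobber
 * any other's), end the batch to wait for replies for all outstanding
 * queries. The output parameters of each query are initialized to NULL
 * or -1 as appropriate.
 *
 * LDAP searches are sent one by one without waiting (i.e., blocking)
 * for replies. Replies are handled as soon as they are available.
 * Missing replies are waited for only when idmap_lookup_batch_end() is
 * called.
 *
 * If an add1 function returns != 0 then abort the batch by calling
 * idmap_lookup_batch_end(), but note that some queries may have been
 * answered, so check the result code of each query.
 *
 * Because replies are delivered asynchronously, every output pointer
 * passed to an add1 function must stay valid until the batch has been
 * ended or released.
 */

/*
 * Start a batch of lookups
 *
 * 'nqueries' is the number of queries the caller intends to add; *state
 * receives the new batch object.
 */
idmap_retcode idmap_lookup_batch_start(ad_t *ad, int nqueries,
		idmap_query_state_t **state);

/*
 * End a batch and release its idmap_query_state_t object
 *
 * Waits (bounded by 'timeout') for outstanding replies, then frees
 * *state. Per-query results are reported through each query's 'rc'.
 */
idmap_retcode idmap_lookup_batch_end(idmap_query_state_t **state,
		struct timeval *timeout);

/*
 * Abandon a batch and release its idmap_query_state_t object
 *
 * Unlike idmap_lookup_batch_end() this does not wait for replies;
 * outstanding queries' outputs should be treated as unanswered.
 */
void idmap_lookup_release_batch(idmap_query_state_t **state);

/*
 * Add a name->SID lookup
 *
 * - 'dname' is optional; if NULL or empty string then 'name' has to be
 *   a user/group name qualified with a domain name (e.g., foo@domain),
 *   else the 'name' must not be qualified and the domain name must be
 *   passed in 'dname'.
 *
 * - if 'rid' is NULL then the output SID string will include the last
 *   RID, else it won't and the last RID value will be stored in *rid.
 *
 * - 'eunixtype', 'canonname', 'sid_type' and 'unixname' are not
 *   documented here; presumably the expected UNIX identity type for
 *   AD-based name mapping (see idmap_lookup_batch_set_unixattr()), the
 *   canonical AD name, the SID's type (one of the _IDMAP_T_* values?)
 *   and the mapped UNIX name — confirm against the implementation.
 *
 * - 'rc' receives this query's result code; check it after
 *   idmap_lookup_batch_end().
 *
 * The caller must free() *sid. Presumably *canonname and *unixname are
 * also caller-owned when set — confirm against the implementation.
 */
idmap_retcode idmap_name2sid_batch_add1(idmap_query_state_t *state,
		const char *name, const char *dname, int eunixtype,
		char **canonname, char **sid, rid_t *rid, int *sid_type,
		char **unixname, idmap_retcode *rc);

/*
 * Add a SID->name lookup
 *
 * - 'rid' is optional; if NULL then 'sid' is expected to have the
 *   user/group RID present, else 'sid' is expected not to have it, and
 *   *rid will be used to qualify the given 'sid'
 *
 * - 'dname' is optional; if NULL then the fully qualified user/group
 *   name will be stored in *name, else the domain name will be stored in
 *   *dname and the user/group name will be stored in *name without a
 *   domain qualifier.
 *
 * - 'eunixtype', 'sid_type' and 'unixname' follow the same (undocumented)
 *   convention as in idmap_name2sid_batch_add1() — confirm against the
 *   implementation.
 *
 * - 'rc' receives this query's result code; check it after
 *   idmap_lookup_batch_end().
 *
 * The caller must free() *name and *dname (if present).
 */
idmap_retcode idmap_sid2name_batch_add1(idmap_query_state_t *state,
		const char *sid, const rid_t *rid, int eunixtype,
		char **name, char **dname, int *sid_type,
		char **unixname, idmap_retcode *rc);

/*
 * Add a unixname->SID lookup
 *
 * Looks up the SID whose AD object carries 'unixname' in the attribute
 * configured via idmap_lookup_batch_set_unixattr(). 'is_user' and
 * 'is_wuser' select the UNIX and Windows identity type respectively
 * (presumably; confirm against the implementation). 'rid', 'name' and
 * 'dname' behave as for idmap_sid2name_batch_add1(); 'rc' receives this
 * query's result code. Ownership of *sid, *name and *dname is not
 * documented here — presumably caller-freed, as for the other add1
 * functions; confirm.
 */
idmap_retcode idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
		const char *unixname, int is_user, int is_wuser,
		char **sid, rid_t *rid, char **name, char **dname,
		int *sid_type, idmap_retcode *rc);

/*
 * Set unixname attribute names for the batch for AD-based name mapping
 *
 * 'unixuser_attr' / 'unixgroup_attr' name the AD attributes that hold
 * the UNIX user / group name. Whether the strings are copied or must
 * outlive the batch is not documented here — confirm against the
 * implementation before passing transient buffers.
 */
void idmap_lookup_batch_set_unixattr(idmap_query_state_t *state,
		const char *unixuser_attr, const char *unixgroup_attr);

#ifdef __cplusplus
}
#endif

#endif /* _ADUTILS_H */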